EP1881435A1 - Method and device for detecting network attacks by determining temporal data correlations - Google Patents

Method and device for detecting network attacks by determining temporal data correlations

Info

Publication number: EP1881435A1
Authority: EP (European Patent Office)
Prior art keywords: frames, network, distribution, tri, detecting
Legal status: Withdrawn (status as listed by Google Patents, not a legal conclusion)
Application number: EP07301162A
Other languages: English (en), French (fr)
Inventors: Stanislas Francfort, Laurent Butti, Franck Veysset
Current assignee: Orange SA
Original assignee: France Telecom SA
Priority date: 2006-07-18
Filing date: 2007-06-27
Publication date: 2008-01-23
Application filed by France Telecom SA

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service

Definitions

  • The present invention relates to the field of communication networks, and in particular to detecting that at least one piece of equipment is sending a large number of frames. More particularly, the invention makes it possible to detect flooding denial-of-service attacks carried out on the network by attackers.
  • A flooding denial-of-service attack is characterised, for example, by the sending of a large number of malformed or non-compliant frames. This can disrupt the operation of the means intended to recognise and report, through alerts, all kinds of attacks made on the network, and it also makes exploiting those alerts more difficult.
  • Such means for recognising and reporting attacks associate each malformed or non-compliant frame with an alert. A large number of alerts are then stored in a database, which hampers the exploitation of this information by the administrator in charge of monitoring the network.
  • Alerts can be grouped together.
  • Aggregation of alerts takes place when a number of frames greater than a certain threshold is received by the means for recognising and reporting attacks.
  • The identification address is normally unique to a given piece of equipment, which writes it into the frames it emits. Aggregation keyed on that address therefore fails when a single attacker emits frames under many different addresses.
  • The present invention makes it possible to overcome, or at least reduce, all or part of the aforementioned drawbacks by detecting that one and the same piece of equipment is sending a large number of frames, and in particular when that equipment uses several identification addresses to send them.
  • A first object of the present invention is a method for detecting that at least one piece of equipment is sending a large number of frames, comprising a step of analysing the distribution of the time differences (Δi) between frames (Tri, Tri+1) sent over the network, in order to determine whether that distribution is a distribution with memory.
  • The method of the invention has the following additional features, taken separately or in combination:
  • The time differences correspond to the difference in reception time between frames sent on the network.
  • The analysis is then based on temporal values that are easy to determine.
  • Alternatively, the time differences correspond to the difference between the time tags of frames sent on the network. This eliminates the time offsets that can occur while the frames cross the transmission medium.
  • A fifth object of the invention is a method for detecting attacks in a communication network, comprising a step of analysing the distribution of the time differences (Δi) between frames (Tri, Tri+1) sent over the network, in order to determine whether that distribution is a distribution with memory.
  • A sixth object of the invention is a computer program on a data carrier, loadable into the internal memory of a computer, comprising portions of code for performing the steps of a method for detecting attacks in a communication network when the program is run on that computer.
  • The invention is described below in its particular application to the detection of denial-of-service attacks. This detection can be incorporated into a device for detecting all or part of the attacks performed on a communication network.
  • Fig. 1 shows a block diagram of a device, according to the invention, for detecting that at least one piece of equipment is sending a large number of frames.
  • Equipment 12a, 12b, 12c communicates over a communication network.
  • The equipment may be fixed or mobile computers or any other communicating terminal.
  • The network can be of any type. It can be a wired network such as the Internet or Ethernet. Alternatively, it may be a wireless network such as a WiMAX or Wi-Fi network; this type of network is currently widely used in hot-spot, enterprise and residential deployments.
  • The equipment 12a, 12b, 12c communicates by sending frames on this network.
  • By frame is meant here a set of data forming a block transmitted over a network and containing payload data and service information.
  • A frame may also be referred to as a data packet, datagram, data block, or any other expression of this kind.
  • The frames sent by the various pieces of equipment 12a, 12b, 12c are received by means 14 for receiving them.
  • These means 14 are, for example, at least one probe listening to the network. By listening is meant that the probe or probes copy at least a portion of the frames transmitted on the network into a table or buffer.
  • The means 14 may be a central collector connected to several probes. This variant makes it possible to listen to a network, in particular a wireless network, at different locations and then to centralise the processing of the frames.
  • The probes can be independent structures or software forming part of another structure. A probe can also be distributed over several structures.
  • The monitored frames are then passed to means 16 for selecting the frames.
  • The means 16 select at least a portion of the received frames and submit them to means 17 for analysing a temporal correlation.
  • The function of the means 17 is thus to determine whether there is a temporal link between at least a portion of the frames received by the means 14. During a flooding denial-of-service attack, the equipment controlled by the attacker emits a large number of frames, that is, more than a benign device sends when communicating normally with the network. When a piece of equipment sends frames, those frames are linked in time for physical reasons: they are generated by a sequential loop clocked by the equipment's base clock, so they are sent periodically. There is therefore a strong temporal link between these frames, even if the data they carry have no logical connection with one another.
  • The means 17 for analysing a correlation can thus be structures or software in their own right.
  • The means 17 can be combined on the same structure as at least one probe. They can also be spread over several structures.
  • The temporal-correlation analysis means 17 then send information to means 10 for recognising and reporting any kind of attack.
  • These means 10 may be, for example, intrusion detection systems (IDS) or intrusion prevention systems (IPS).
  • An intrusion detection system (IDS) is a set of software and/or hardware components whose main function is to recognise and report any intrusion attempt.
  • An intrusion prevention system (IPS) generally includes the functions of an IDS, to which network prevention and protection functions are added.
  • The information sent by the means 17 may be an alert signalling a denial-of-service attack.
  • The information sent may also signal that a particular sample of analysed frames has a suspicious character and may thus potentially constitute a flooding denial-of-service attack.
  • When a piece of equipment, for example the equipment 12a, sends a large number of frames, they are listened to in step 51 by the means 14. These means 14 associate each received frame Tri, Tri+1 with a reception instant ti, ti+1, for example a number of milliseconds. The frames to be analysed are then selected in step 52. These frames are then available to the means 17 for analysing a temporal correlation in step 53.
  • A first method for determining the existence of a link between the frames is to determine whether there is a temporal autocorrelation between them. For this purpose the reception times of the frames over a given period are analysed, and the means 17 emit an alert when it is determined that a profile representing several frame arrival times repeats itself.
  • A second method consists in analysing whether or not the distribution of a variable X characteristic of the frames is a memoryless distribution, that is to say whether the arrival instant of a frame is independent of the arrival instant of the previous frame or, on the contrary, linked to it.
  • The distribution of a variable X is memoryless if and only if, for all positive "s" and "t", the probability of [X > t + s, knowing that X > t] equals the probability of [X > s].
  • This amounts to determining whether the distribution of the variable X is consistent, for example, with a Lévy process. As a variant, it amounts to determining whether the distribution of the variable X is consistent with the Poisson law (for a continuous variable such as an inter-arrival time, the memoryless law is the exponential law, whose arrival instants form a Poisson process).
  • The method is thus robust, because it tolerates a certain margin of error in the analysis of a temporal correlation between the frames.
  • Such time deviations may be due to the physical environment making up the network.
  • The variable X may be the time difference Δi between the arrival instants of the frames received by the means 14.
  • The time difference Δi then corresponds to the difference between the reception instants ti and ti+1 of two frames Tri and Tri+1 successively received by the means 14.
  • Alternatively, the variable X may be the time difference Δi between the instants ti and ti+1 of two frames Tri and Tri+1 successively selected by the frame selection means 16.
  • The task of the means 17 is then to analyse whether the distribution of the time differences Δi between the selected frames Tri, Tri+1 sent on the network is or is not a distribution with memory. This amounts to determining whether the distribution of the Δi is consistent, for example, with the Poisson law.
  • Let n be the number of frames processed by the correlator (the means 17).
  • n may be of the order of 10 000 frames.
  • The means 17 for analysing a correlation first sort the sample D of the differences xi = Δi into equivalence classes Xj (j varying from 1 to k). Each equivalence class corresponds to a time interval of fixed duration, for example 1 millisecond. Each class Xj is associated with the number nj of values xi falling within it.
  • For each class the correlator also has the theoretical number ej of values expected under the memoryless law. It then groups the ej by summing neighbouring ej, so that only classes with a value greater than or equal to 10000 * S remain.
  • Example of a list L of theoretical numbers ej, keeping only ej > 500: [1045.087640098437, 1589.0868270596, 2030.9589041040, 1946.7756575289, 1492.8654452194, 953.9907816767, 941.2347443128931]
  • The correlator groups the Xj in the same way, adding together the classes whose ej have been summed; j now varies from 1 to k0 for the Xj as for the ej. The observed numbers nj are then compared with the theoretical numbers ej, yielding a distance E that is compared with a threshold h.
  • Step 55 corresponds to the case E ≤ h, which is that of our example: the distribution is then memoryless, and it is estimated that there is no flooding denial-of-service attack.
  • Step 56 corresponds to the opposite case E > h: the distribution is then a distribution with memory, and a potential attack is reported. Note that the device for detecting that at least one piece of equipment is sending a large number of frames works even if several devices are performing a flooding denial-of-service attack, and even if one or more benign devices are communicating with the network at the same time.
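The following is an added example written for this page, not code from the patent: it carries the second method through on constructed data. The inter-arrival differences Δi are binned into 1 ms classes, the theoretical counts ej are taken from the memoryless (exponential) law with the sample's own mean, neighbouring classes are merged until every ej reaches a floor, and a distance E between observed and theoretical counts is compared with a threshold h. The chi-square form of E, the merge floor of 500, the threshold h = 100 and the two constructed samples (a send loop clocked every 5 ms with slight jitter, and a benign stream with exponential gaps of mean 5 ms) are assumptions of the example; the patent fixes none of them.

```python
"""Memoryless-law goodness-of-fit test on frame inter-arrival times (added example)."""
import math
import random
from typing import List, Sequence, Tuple

CLASS_WIDTH_MS = 1.0   # duration of one equivalence class Xj (1 ms, as in the text)
MIN_EXPECTED = 500.0   # assumed floor: merge neighbouring classes until every ej >= 500


def inter_arrival_times(timestamps_ms: Sequence[float]) -> List[float]:
    """Delta_i = t(i+1) - t(i) between successively received frames Tri, Tri+1."""
    return [later - earlier for earlier, later in zip(timestamps_ms, timestamps_ms[1:])]


def observed_counts(deltas: Sequence[float], width: float) -> List[int]:
    """n_j: number of Delta_i falling in class X_j = [j*width, (j+1)*width)."""
    counts = [0] * (int(max(deltas) // width) + 1)
    for d in deltas:
        counts[int(d // width)] += 1
    return counts


def theoretical_counts(n: int, mean: float, k: int, width: float) -> List[float]:
    """e_j under the memoryless law with the same mean: n * P(j*w <= X < (j+1)*w).

    For a memoryless X, P(X > t) = exp(-t/mean); the last class absorbs the whole tail.
    """
    def survive(t: float) -> float:
        return math.exp(-t / mean)
    return [n * (survive(j * width) - (survive((j + 1) * width) if j < k - 1 else 0.0))
            for j in range(k)]


def merge_classes(nj: Sequence[float], ej: Sequence[float],
                  min_expected: float) -> Tuple[List[float], List[float]]:
    """Sum neighbouring classes (n_j and e_j alike) until every remaining e_j >= min_expected."""
    merged_n: List[float] = []
    merged_e: List[float] = []
    acc_n = acc_e = 0.0
    for n_obs, e_th in zip(nj, ej):
        acc_n += n_obs
        acc_e += e_th
        if acc_e >= min_expected:
            merged_n.append(acc_n)
            merged_e.append(acc_e)
            acc_n = acc_e = 0.0
    if acc_e > 0.0:  # a leftover tail too small on its own is folded into the last class
        if merged_e:
            merged_n[-1] += acc_n
            merged_e[-1] += acc_e
        else:
            merged_n.append(acc_n)
            merged_e.append(acc_e)
    return merged_n, merged_e


def memory_distance(deltas: Sequence[float], width: float = CLASS_WIDTH_MS,
                    min_expected: float = MIN_EXPECTED) -> float:
    """Distance E between observed counts n_j and theoretical counts e_j.

    A chi-square type distance sum((n_j - e_j)^2 / e_j) is assumed here; the text does not
    fix the formula. A large E means the Delta_i do not follow the memoryless law.
    """
    if not deltas:
        raise ValueError("need at least one inter-arrival time")
    n = len(deltas)
    mean = sum(deltas) / n
    nj = observed_counts(deltas, width)
    ej = theoretical_counts(n, mean, len(nj), width)
    nj_m, ej_m = merge_classes(nj, ej, min_expected)
    return sum((o - e) ** 2 / e for o, e in zip(nj_m, ej_m))


def is_flood(deltas: Sequence[float], threshold_h: float) -> bool:
    """Steps 55/56: E <= h means memoryless (no flood); E > h means a distribution with memory."""
    return memory_distance(deltas) > threshold_h


# Constructed samples (not captured traffic).
def constructed_flood_sample(n: int = 10_000, seed: int = 1) -> List[float]:
    """An attacker's send loop clocked every 5 ms with slight jitter: strongly time-linked frames."""
    rng = random.Random(seed)
    t, stamps = 0.0, []
    for _ in range(n + 1):
        stamps.append(t)
        t += 5.0 + rng.gauss(0.0, 0.2)
    return inter_arrival_times(stamps)


def constructed_benign_sample(n: int = 10_000, seed: int = 1) -> List[float]:
    """Independent senders: gaps drawn from the exponential law (mean 5 ms), hence memoryless."""
    rng = random.Random(seed)
    return [rng.expovariate(1.0 / 5.0) for _ in range(n)]


if __name__ == "__main__":
    H = 100.0  # assumed threshold h
    for name, sample in (("flood", constructed_flood_sample()),
                         ("benign", constructed_benign_sample())):
        print(f"{name}: E = {memory_distance(sample):.1f}, flood = {is_flood(sample, H)}")
```

With n = 10 000 and a dozen merged classes, E for the benign stream behaves like a chi-square variable with about ten degrees of freedom, so any h well above that (100 here) is never crossed by memoryless traffic, whereas the clock-driven loop piles all its Δi into one or two 1 ms classes and drives E into the tens of thousands. Jitter of a fraction of a class width does not rescue the attacker, which is the robustness the text claims.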
  • FIG. 2 shows an example in which the device for detecting that at least one piece of equipment is sending a large number of frames is included in a more general attack detection device 20.
  • The term "attack" here covers all types of attack possible on a network, namely passive attacks (e.g. retrieval of message content, traffic analysis, etc.) and active attacks (e.g. masquerade, denial of service, etc.).
  • Equipment 22a, 22b, 22c emits frames on the network. These are received by means 24 intended to receive frames.
  • The frames are then selected by means 26, which supply the frames to be analysed to means 27 for analysing a correlation.
  • The selection may include all received frames.
  • The selection may also retain only the frames carrying a new identification address.
  • The identification address may be, for example, a MAC ("Medium Access Control") address or an IP ("Internet Protocol") address.
  • The means 27 may also detect a periodicity in the changes of these identification addresses, since the changing of the addresses depends in particular on the base clock of the attacker's transmitting equipment. As a variant, the selection may concern a particular type of frame, such as BEACON frames, authentication frames, or any other well-identified type of frame that an attacker may send in large numbers. If the distribution of the time differences Δi appears suspicious to the means 27, the frames associated with these time differences are directed to means 28 for additional processing.
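The following is an added example, written for this page rather than taken from the patent, covering the selection step just described and the first method (temporal autocorrelation) mentioned earlier. From a constructed capture, the selector keeps either the first frame seen under each identification address or the frames of one type (deauthentication); the selected arrival instants are then binned and autocorrelated, and a repeating profile shows up as a peak at the attacker's period. The Frame record, the 1 ms bin, the 100-lag window, the "within 80 % of the peak" rule for the fundamental period, the score threshold of 3, the 20 ms address-rotation period and the fabricated addresses are all assumptions of the example.

```python
"""Frame selection and autocorrelation-based periodicity detection (added example)."""
import random
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Frame:
    rx_time_ms: float   # reception instant assigned by the probe (means 24)
    frame_type: str     # e.g. "data", "beacon", "deauth"
    src_address: str    # identification address written into the frame (a MAC address here)


def select_new_addresses(frames: Sequence[Frame]) -> List[Frame]:
    """Keep only the frames whose identification address has not been seen before."""
    seen = set()
    kept = []
    for f in frames:
        if f.src_address not in seen:
            seen.add(f.src_address)
            kept.append(f)
    return kept


def select_by_type(frames: Sequence[Frame], frame_type: str) -> List[Frame]:
    """Keep only frames of one well-identified type (e.g. deauthentication frames)."""
    return [f for f in frames if f.frame_type == frame_type]


def autocorrelation(times_ms: Sequence[float], bin_ms: float = 1.0, max_lag: int = 100) -> Dict[int, int]:
    """r(lag) = sum_i x[i] * x[i + lag] over the binned arrival counts x, for lags 1..max_lag."""
    origin = min(times_ms)
    bins = int((max(times_ms) - origin) // bin_ms) + 1
    x = [0] * bins
    for t in times_ms:
        x[int((t - origin) // bin_ms)] += 1
    return {lag: sum(x[i] * x[i + lag] for i in range(bins - lag))
            for lag in range(1, min(max_lag, bins - 1) + 1)}


def periodicity(times_ms: Sequence[float], bin_ms: float = 1.0, max_lag: int = 100) -> Tuple[float, int]:
    """Return (score, period in bins).

    score  = peak autocorrelation / mean autocorrelation over the lag window: flat (near 1)
             for independent arrivals, high when an arrival profile repeats itself;
    period = smallest lag within 80 % of the peak, since multiples of the period peak too
             (the 80 % figure is an assumption of this example).
    """
    if len(times_ms) < 2:
        return 0.0, 0
    r = autocorrelation(times_ms, bin_ms, max_lag)
    if not r or sum(r.values()) == 0:
        return 0.0, 0
    mean = sum(r.values()) / len(r)
    peak = max(r.values())
    period = min(lag for lag, v in r.items() if v >= 0.8 * peak)
    return peak / mean, period


def looks_periodic(times_ms: Sequence[float], score_threshold: float = 3.0) -> bool:
    """Assumed decision rule: a score above 3 is reported as a repeating arrival profile."""
    return periodicity(times_ms)[0] > score_threshold


def constructed_capture(seed: int = 7) -> List[Frame]:
    """Constructed 10 s capture: three legitimate stations plus an attacker rotating its address.

    The attacker's loop emits one deauthentication frame every 20 ms (0.1 ms jitter) under a
    fresh forged address each time, so counting frames per address never sees more than one.
    """
    rng = random.Random(seed)
    frames: List[Frame] = []
    for k in range(3):                                   # legitimate data traffic, mean gap 50 ms
        t = rng.uniform(0.0, 50.0)
        while t < 10_000.0:
            frames.append(Frame(t, "data", f"02:00:00:00:00:0{k}"))
            t += rng.expovariate(1.0 / 50.0)
    t = 10.5
    for k in range(500):                                 # attacker: clock-driven, forged addresses
        frames.append(Frame(t, "deauth", f"06:00:00:00:{(k >> 8):02x}:{(k & 0xff):02x}"))
        t += 20.0 + rng.gauss(0.0, 0.1)
    frames.sort(key=lambda f: f.rx_time_ms)
    return frames


if __name__ == "__main__":
    capture = constructed_capture()
    for label, subset in (("new addresses", select_new_addresses(capture)),
                          ("deauth frames", select_by_type(capture, "deauth")),
                          ("data frames", select_by_type(capture, "data"))):
        score, period = periodicity([f.rx_time_ms for f in subset])
        print(f"{label}: {len(subset)} frames, score {score:.1f}, period {period} ms")
```

Selecting on "new identification address" is what makes address rotation visible: the attacker defeats per-address thresholds, but the first-seen frames of its forged addresses still arrive on the cadence of its send loop, and the autocorrelation peaks at that 20 ms lag while the legitimate stations' data frames give a flat profile.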
  • The associated frames are directed to means 21a, 21b for recognising and reporting any kind of attack.
  • These means can also receive the frames not selected by the means 26.
  • They comprise comparison means 21a and knowledge bases 21b.
  • The bases include all or part of the signatures of the attacks possible on a communication network.
  • The comparison means 21a are able, by comparison with the bases 21b, to flag frames containing suspicious parts.
  • Each suspicious frame is then associated with an alert, which is stored in an event log 25.
  • the event log 25 is then exploited by an administrator in charge of network security. This administrator can be a human analyzing alerts via a monitor 29 or "Graphical User Interface".
  • the event log 25 can also be operated automatically without human intervention.
  • the administrator is thus able to track, in time, attacks taking place on the network.
  • the means 26, 27 thus act as a filter. They prevent alerts from being issued on suspicious frames potentially participating in a flood denial of service attack.
  • the operation of the event log by an administrator, especially a human being, is thus more efficient, the monitor 29 being less overloaded with alerts.
  • a critical attack, embedded in the noise created by the number of frames, will be more easily detectable.
  • An attack detection device 20 may thus comprise all the means 24, 26, 27, 28, 21a, 21b, 25, 29.
  • FIG. 3 shows a device for detecting that at least one piece of equipment is sending a large number of frames, included in a more global attack detection device 30.
  • This example differs from the preceding one in particular in that the temporal-correlation analysis means 37 form part of an attack search engine 31a belonging to the device 30.
  • The device 30 includes other attack search engines 31b, 31c working in parallel on the frames received by the means 34.
  • Each engine sends its alerts to an event log 35, which is exploited by an administrator via, for example, a monitor 39.
  • The engine 31a thus sends an alert when it detects a flooding denial-of-service attack.
  • An attack detection device 30 may thus comprise all the means 34, 31a, 31b, 31c, 35, 39.
  • FIG. 4 shows a device for detecting that at least one piece of equipment is sending a large number of frames, included in a more global attack detection device 40.
  • Equipment 42c belonging to an attacker spoofs the identification address of an access point 45 that is communicating with various legitimate pieces of equipment 42a, 42b.
  • The equipment 42c can carry out a denial-of-service attack by sending certain frames as "broadcast", that is to say to all the equipment 42a, 42b, for example deauthentication or disassociation frames. Such frames are found in particular in wireless networks.
  • The equipment 42a, 42b then disconnects from the access point 45, believing the request to come from that access point, and thereby deprives itself of service.
  • The access point 45 is, for example, connected to a wired network 43 supervised by a server 48.
  • Here the attacker acts directly on the legitimate equipment.
  • The massive sending of deauthentication or disassociation frames then prevents that equipment from reconnecting to the access point 45.
  • A device 40 detects this attack. For this purpose it has means 46 that select at least a portion of the frames received by means 44; the means 46 will, for example, select the deauthentication frames. If means 47 detect a correlation between the selected frames, they send an alert to an event log, which is then analysed by a network administrator via, for example, a monitor 49. The administrator can counter the attack by trying, for example, to physically locate and disable the malicious equipment, or by preventing the equipment 42a, 42b from listening to frames sent as "broadcast".
  • The invention is thus particularly suitable for wireless networks, which are indeed the target of numerous attacks.
  • Some frames sent on such a network carry a time tag.
  • The time tag of a frame contains temporal information relating to the transmission of that frame.
  • Here this temporal information consists of the value of the base clock of the transmitting equipment at the moment the frame was transmitted.
  • The time difference Δi can thus be the difference between the time tags of at least a portion of the frames Tri and Tri+1 received by the means 44. This eliminates the time deviations that can occur while the frames cross the transmission medium.
  • Frames carrying such a time tag are, in particular, BEACON frames and PROBE RESPONSE frames.
  • The steps of the method for detecting that at least one piece of equipment is sending a large number of frames, and more generally the steps of the attack detection method, can be executed by a program loaded on a computer or on a programmable component.
  • The method for detecting that at least one piece of equipment is sending a large number of frames over a network has been described in its particular application to the detection of attacks, and more particularly to the detection of flooding denial-of-service attacks.
  • This method can be used for applications other than attack detection, namely for any application that requires detecting that the same equipment is sending a large number of frames.

Applications Claiming Priority (1)

Application number: FR0653021, priority date 2006-07-18

Publications (1)

EP1881435A1 (de), published 2008-01-23

Family ID: 37946161

Family Applications (1)

EP07301162A (de), priority date 2006-07-18, filing date 2007-06-27: Method and device for detecting network attacks by determining temporal data correlations (withdrawn; published as EP1881435A1)

Country Status (2)

US: US20080022402A1
EP: EP1881435A1

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103229528B (zh) * 2010-11-25 2017-02-15 Thomson Licensing Method and device for fingerprinting wireless communication devices
EP3474589A1 (de) * 2012-11-22 2019-04-24 Koninklijke KPN N.V. System for behaviour detection in a telecommunications network

Citations (2)

Publication number Priority date Publication date Assignee Title
WO2004056063A1 (en) * 2002-12-13 2004-07-01 Cetacea Networks Corporation Network bandwidth anomaly detector apparatus and method for detecting network attacks using correlation function
WO2006035140A1 (fr) * 2004-09-30 2006-04-06 France Telecom Method, device and program for detecting access point spoofing

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
US7266754B2 (en) * 2003-08-14 2007-09-04 Cisco Technology, Inc. Detecting network denial of service attacks
JP2005277804A (ja) * 2004-03-25 2005-10-06 Hitachi Ltd Information relay device
CN100370757C (zh) * 2004-07-09 2008-02-20 International Business Machines Corporation Method and system for identifying distributed denial-of-service attacks within a network and defending against them


Non-Patent Citations (5)

Title
Burgess et al., "Probabilistic anomaly detection in distributed computer networks", Science of Computer Programming, Elsevier, vol. 60, no. 1, 1 March 2006, pp. 1-26, ISSN 0167-6423, XP027926335 *
Mark Crovella, "Network Traffic Modeling", SIGCOMM 2004 tutorial, 30 August 2004, https://www.cs.bu.edu/faculty/crovella/tutorial-2up.pdf, XP055022830 *
P. Owezarski, "On the Impact of DoS Attacks on Internet Traffic Characteristics and QoS", Proc. 14th International Conference on Computer Communications and Networks (ICCCN 2005), San Diego, CA, USA, 17-19 October 2005, IEEE, pp. 269-274, ISBN 0-7803-9428-3, XP010846070 *
Pin Ren et al., "IDGraphs: Intrusion Detection and Analysis Using Histographs", IEEE Workshop on Visualization for Computer Security (VizSEC 05), Minneapolis, MN, USA, 26 October 2005, pp. 39-46, ISBN 0-7803-9477-1, XP010852595 *
Wei Yan (in Yue Hao et al., eds.), "Measuring the Histogram Feature Vector for Anomaly Network Traffic", Computational Intelligence and Security, Lecture Notes in Computer Science / Lecture Notes in Artificial Intelligence, Springer, Berlin, 1 January 2006, pp. 279-284, ISBN 978-3-540-30819-5, XP019031290 *

Also Published As

Publication number Publication date
US20080022402A1 (en) 2008-01-24


Legal Events

Code Title / Description
PUAI Public reference made under Article 153(3) EPC to a published international application that has entered the European phase. Free format text: ORIGINAL CODE: 0009012
AK Designated contracting states. Kind code of ref document: A1. Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC MT NL PL PT RO SE SI SK TR
AX Request for extension of the European patent. Extension state: AL BA HR MK YU
17P Request for examination filed. Effective date: 2008-05-22
17Q First examination report despatched. Effective date: 2008-06-23
AKX Designation fees paid. Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC MT NL PL PT RO SE SI SK TR
RAP1 Party data changed (applicant data changed or rights of an application transferred). Owner name: ORANGE
STAA Information on the status of an EP patent application or granted EP patent. Status: the application is deemed to be withdrawn
18D Application deemed to be withdrawn. Effective date: 2015-01-06